rcs-message

Security checks across malware telemetry and agentic risk

Overview

This SMS/RCS skill is purpose-aligned, but it needs review because it can bulk-send real messages and stores API secrets locally in plaintext with limited warning.

Review before installing. Use this only with a trusted messaging account and provider, verify every recipient and message before sending, avoid bulk or forwarded messages without clear consent, and prefer temporary/test credentials. If used, delete the saved credential files or rotate the APP_SECRET when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill exposes capabilities to read environment variables, read/write local files, and make network requests, yet it declares no permissions to the user. In a messaging skill that handles credentials and sends messages to external phone numbers via a third-party endpoint, this lack of transparency is security-relevant because it prevents informed consent and hides the true trust boundary.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented behavior materially understates and misrepresents what the skill does: it stores and reuses credentials locally, persists them in the user's home directory, and sends data to a hardcoded third-party service while omitting these facts from the high-level description. In a mass-messaging context, this is dangerous because users may unknowingly disclose secrets, contact data, and message content to an external provider under assumptions that do not match actual behavior.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The skill acquires API credentials from environment variables or interactive prompts and persists them to a local session file, expanding its behavior beyond simple message sending into secret handling. Storing long-lived credentials locally increases the risk of credential disclosure through filesystem access, backups, or multi-user host exposure, especially because the user-facing flow does not clearly justify or constrain this storage.

Vague Triggers

Medium
Confidence: 93%
Finding:
The README advertises the skill for very broad intents such as sending texts, checking texts, using SMS, and forwarding or mass sending received messages. In an agent setting, this expansive invocation scope can cause the skill to activate for common everyday messaging requests and potentially handle sensitive communications or bulk forwarding without clear, narrow user intent boundaries.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The README explains configuration and usage of an external API endpoint but does not clearly warn that recipient phone numbers, message bodies, template parameters, and possibly fallback content will be transmitted to a third-party service. Users or integrators may unknowingly send sensitive personal or business data off-platform, creating privacy, compliance, and data-handling risks.

Vague Triggers

Medium
Confidence: 88%
Finding:
The invocation text is broad enough to trigger on generic requests about SMS, texting, checking messages, forwarding, or mass sending, which increases the chance the agent invokes the skill in situations the user did not intend. For a capability that can transmit messages to real phone numbers and potentially act on sensitive communications, overbroad routing creates meaningful risk of privacy violations or unintended outbound messaging.

Missing User Warnings

High
Confidence: 95%
Finding:
The skill promotes sending, forwarding, and mass sending to phone numbers without any visible warning about consent, privacy, spam, or misuse risks. In a messaging skill, that omission is particularly dangerous because the feature set can be abused for unsolicited outreach, disclosure of personal data, or unauthorized forwarding of private messages.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The usage examples encourage bulk messaging and explicitly recommend a `--debug` mode that shows detailed request information, but they do not warn that request logs may contain phone numbers, message contents, template parameters, or API-related metadata. In a messaging skill handling real phone numbers and potentially sensitive content, this can lead to privacy leakage through terminals, CI logs, shell history, or shared support artifacts.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The code writes application credentials to a predictable local JSON file without a clear warning that secrets will be stored persistently. On shared systems or systems with weak home-directory protections, another local process or user may recover the credentials and use the messaging API on the victim's behalf.

Missing User Warnings

Medium
Confidence: 94%
Finding:
This code persists APP_ID and APP_SECRET in plaintext JSON under the user's home directory without any warning, consent flow, or filesystem permission hardening. In the context of an RCS messaging skill that can send mass messages, theft of these credentials could allow unauthorized use of the messaging account, abuse of carrier-integrated functions, and exposure of sensitive business communications.

VirusTotal

66/66 vendors flagged this skill as clean.
